Did the NSA Know about Spectre and Meltdown?

White House cybersecurity coordinator Rob Joyce, who formerly worked at the NSA, has said the agency had no knowledge of the Spectre or Meltdown vulnerabilities in Intel processors that came to light last week. Andy Greenberg reports in WIRED:

On Friday, White House cybersecurity coordinator Rob Joyce, a former senior NSA official, told The Washington Post that the NSA didn’t know about Spectre and Meltdown and had never exploited the flaws. Joyce has also touted a move to reveal more about the NSA’s rules for disclosing vulnerabilities it finds, a policy known as the Vulnerabilities Equities Process.

Despite the almost uncanny anecdotal evidence for bug rediscovery that Spectre and Meltdown represent, it’s far from clear just how common that phenomenon has become. The Harvard Study co-authored by Bruce Schneier, for one, examined a trove of bug report data containing 4,300 vulnerabilities. Fourteen percent of Android vulnerabilities were reported again within just 60 days of their initial discovery, and around 13 percent of Chrome bugs. “For the NSA, holding onto vulnerabilities is way more dangerous than you’d think, given the raw numbers,” Schneier says.

It is possible the NSA didn’t know of the vulnerabilities, but Greenberg also reports Schneier’s view that if the NSA did find them, it’s likely that other nations knew about them as well. Greenberg writes:

So when the NSA finds a so-called zero-day vulnerability—a previously unknown hackable flaw in software or hardware—Schneier argues that tendency for rediscovery needs to factor into whether the agency stealthily exploits the bug for espionage, or instead reports it to whatever party can fix it. Schneier argues bug collisions like Spectre and Meltdown mean they should err on the side of disclosure: According to rough estimates in the Harvard study he co-authored, as many as one third of all zero-days used in a given year may have first been discovered by the NSA.

“If I discover something lying dormant for 10 years, something made me discover it, and something more than randomly will make someone else discover it too,” Schneier says. “If the NSA discovered it, it’s likely some other intelligence agency likely discovered it, too—or at least more likely than random chance.”